Tuesday, March 30, 2010

Microsoft has released a new patch for Internet Explorer (MS10-018), and no, your calendar isn't off: this is NOT the second Tuesday of the month. According to the Microsoft Security Advisory, updated today, the reason for the out-of-band release was that the vulnerability described in CVE-2010-0806, "Uninitialized Memory Corruption Vulnerability", was being widely exploited in the wild.

Interestingly, Microsoft thanks Chinese security company "VenusTech" for providing them notice of that exploit.

Is the exploit really circulating? Absolutely. On March 10th the exploit was added to the Metasploit framework, and instructions on how to use it immediately hopped onto many hacker boards. We saw it first on Exploit-DB.com (XpltDB), the replacement for Milw0rm.

Here is just a sampling of some of the places it's being openly discussed:

hackua.com - the Ukrainian hacking forum, had a post on March 14, 2010 by "Dementor" explaining the use of the exploit, which quoted the HD Moore version, including the comments about the exploit being observed in the wild by Red-Sec, who observed the exploit on the website www.topix21century.com

0day.net in Guizhou province, China, had the Chinese language version of the discussion beginning on March 12th, posted by the owner of the forum, asphack. He provided a .rar file of the exploit from his website, asphack.com.

exploit.in, which, despite the .in (India) country code, is a Russian-language website carrying banner ads for various Russian-language cybercrime services such as "InstallsMarket", "SecretsLine VPN", and "EvaPharmacy". As an example of those, InstallsMarket will install your malware on 1,000 US-based bots for $100. Interesting place to be discussing IE vulnerabilities, no?

Several Chinese hacker sites linked back to: BBS.pediy.com. Their very active "Software Debugging Forum" had several members contributing suggested improvements to the shell code. 45 replies to the thread so far, but the thread has been read almost 5,000 times!

Sunday, March 28, 2010

Lots of little newsworthy updates recently . . . they've been well-covered elsewhere, but we wanted to make sure our readers saw them as well.

Russia: Safe Haven no more?

One of the constant complaints that we hear is "the criminal is probably in Russia", as an excuse for why a case is not worth investigating. Back on November 11, 2009, we posted a story The $9 Million World-wide Bank Robbery, where VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia; SERGEI TŠURIKOV, 25, of Tallinn, Estonia; and OLEG COVELIN, 28, of Chişinău, Moldova were charged with leading the robbery, which actually occurred in 2008. This week the Financial Times has revealed that Viktor Pleshchuk was arrested by the FSB. Their story leads with:

Russia has quietly arrested several suspects in one of the world's biggest cyberbank thefts, raising hopes of a previously unseen level of official co-operation in a country that has been a haven for criminals.

Other sources, for instance Bank Info Security News have confirmed that Sergei and Oleg were also arrested by the FSB at the same time.

Your Federal Friends on Facebook?

Pasquale Manfredi isn't exactly a nice guy. The authorities have wanted to arrest him for some time because of his naughty habits such as assassinating his enemies by shooting a bazooka at their car. The Daily Mail says that he also maintained a Facebook account under the name "Georgie", with Al Pacino's "ScarFace" as his Profile picture. According to The Register, authorities used intelligence gathered from his Facebook page to identify his location and successfully make the arrest. (Image from Daily Mail)

Twitter Hacker in France

"Hacker Croll" an unemployed 25-year-old hacker who lived with his parents had his moment of fame after breaking into the Twitter accounts of President Obama and Britney Spears. The AP story says he was arrested by French police, who have released him to reappear on June 24th for his trial. The hacker calls himself "more of a pirate than a hacker", and has explained his method to the police. French prosecutor, Jean-Yves Coquillat, says the young man was acting on a bet, and that he is "the sort who likes to claim responsibility for what he's done." According to an AFP Story TechCrunch had received more than 300 documents belonging to Twitter employees that were provided by Hacker Croll. Twitter has acknowledged that they seem legitimate.

The report lists the Ten Riskiest Cities, and then gives a list of recommendations, the first of which is of course to buy security software (#2 is keep your computer patched, and #3 is stay educated about current threats; they recommend www.everyclickmatters.com for that). I would add to that recommendation that geeks should read this blog and non-geeks should visit StaySafeOnline.org, a great site by the NCSA that has advice for home users, K-12, higher ed, and small business users.

PC World's JR Raphael reported today on The 50 Riskiest Cities for Cybercrime in America, from the same Symantec report. Disappointed that your city is not on the list? I was too. Birmingham, Alabama, is absent, which points to a flaw in the methodology: the Symantec report assumes that the greatest dangers are in the most wired cities (the rate goes up with broadband adoption, WiFi hotspots, and so on).

I honestly believe that a different look at the numbers would show that rates of cybercrime are higher in places with higher populations of retired computer users, a lower education (or at least CYBER education) level, and places where computers have only recently been added to the home and are new to concepts of email and online banking. These are likely to be the exact opposite places as found in the Symantec report.

Just to look at a couple examples . . .

Symantec says Seattle is #1 for cybercrime. The FTC Consumer Sentinel puts it at #78 for fraud complaints and #148 for identity theft complaints.

Symantec says Boston is #2 for cybercrime. The FTC Consumer Sentinel puts it at #254 for fraud complaints and #252 for identity theft complaints.

Symantec says Washington DC is #3 for cybercrime. The FTC Consumer Sentinel puts it at #36 for fraud complaints and #82 for identity theft complaints.

Symantec definitely considers other factors that WOULD increase with broadband adoption: more always-on high-speed connections means more bots, and more computer users means more spammers, and so on. They are in a unique position to model that, and I give them their due for studying their numbers and sharing them with the public. But . . . I think when most people think about cybercrime risk, they want to know if they are going to have their money or their identities stolen. The Symantec model just doesn't answer that question very well.

What is the FTC's Consumer Sentinel? Funny you should ask!

FTC's Consumer Sentinel Report

One way of spot-checking the data is to review what the likely threats are in each city based on actual criminal complaints. It's called the "Consumer Sentinel" report from the Federal Trade Commission. Each year about this time, the FTC puts out its annual report, gathered from a variety of sources, including the FBI's Internet Crime Complaint Center (IC3.gov), one of the best places a consumer can report cybercrime victimization.

This year's Consumer Sentinel Network Data Book, covering January through December 2009, was released on February 22nd. The network received 1.3 million complaints, 721,418 of them fraud complaints, with 630,604 victims reporting losses averaging $2,721 each, for a total of $1.7 billion in fraud losses last year.

48% of those frauds were initiated by email, which is part of the reason the UAB Spam Data Mine is such an important part of our research at UAB. With $850 million worth of fraud linked to email last year, we think email-based crimes are well worth studying.

The Consumer Sentinel report breaks down complaints per capita on a state-by-state basis in the categories of "Identity Theft" and "Fraud & Other Complaints".

The Top Ten States for Identity Theft (complaints per 100,000 residents):

1. Florida - 122.3
2. Arizona - 119.4
3. Texas - 116.4
4. California - 114.2
5. Nevada - 106
6. New Mexico - 98
7. Georgia - 97.2
8. New York - 95
9. Colorado - 93.8
10. Illinois - 91.8
(17. Alabama - 76.2)

Top Ten States for Fraud & Other Complaints (complaints per 100,000 residents):

1. Nevada - 412.9
2. Arizona - 412.4
3. Texas - 397.2
4. California - 393.6
5. Nevada - 391.7
6. New Mexico - 377.7
7. Georgia - 376.1
8. New York - 369.3
9. Colorado - 366.8
10. Illinois - 361.9
(20. Alabama - 296.1)

Top Ten Large Metropolitan Areas for Fraud and Other Consumer Complaints (complaints per 100,000 residents):

1. Mount Vernon-Anacortes, WA - 684.7
2. Dunn, NC - 684.3
3. Greeley, CO - 656.8
4. Boulder, CO - 640.5
5. Allegan, MI - 631.4
6. Gainesville, GA - 625.5
7. Roseburg, OR - 618.5
8. Thomasville-Lexington, NC - 617.8
9. Eugene-Springfield, OR - 564.9
10. Montgomery, AL - 549.8
(171. Birmingham-Hoover, AL - 351.5)

Top Ten Large Metropolitan Areas for Identity Theft Complaints (complaints per 100,000 residents), extended to show the first Alabama entry:

1. Brownsville-Harlingen, TX - 262.4
2. McAllen-Edinburg-Mission, TX - 247.4
3. Laredo, TX - 196
4. Miami-Fort Lauderdale-Pompano Beach, FL - 193.2
5. Madera, CA - 180.9
6. Dunn, NC - 173.8
7. Merced, CA - 172.7
8. Corpus Christi, TX - 171.3
9. Greeley, CO - 169.4
10. Bakersfield, CA - 168.2
11. Visalia-Porterville, CA - 168.2
12. Thomasville-Lexington, NC - 160.4
13. Montgomery, AL - 155.8

Consumer Reports "State of the Net"

I first heard about the Consumer Reports "State of the Net" survey when I attended the National Press Club kick-off for "October is Cyber Security Awareness Month" in 2008 and met Jeffrey Fox, the Consumer Reports Technology Editor. I was amazed by the quality of the data! Finally we could make some reasonable statements about the level of phishing losses to consumers! We'll hopefully see the 2010 edition soon, but in the meantime, let me recommend their work from June 2009, Boom Time For Cybercrime, where they estimate the cost of cybercrime at $8 billion per year.

Why is their number so much larger than the number from the Federal Trade Commission Report? The FTC report is ACTUAL VICTIMS who have taken the time to report their victimization to one of the agencies represented in the Consumer Sentinel. The Consumer Reports model builds a statistically supported model and surveys enough folks to project across the entire US population. For instance, Consumer Reports says that 1 in 13 online households in the US knows that they gave their personal information to a phisher during the previous two years, and that 1 in 7 of these lost money (so 1 in 90 households lost money to phishing - or roughly $483 Million). Their costs also include other damages however, such as the fact that 1 in 12 households replaced a computer in the past six months due to "serious problems" with viruses or spyware ($1.7 Billion), and that 1 in 7 households had experienced a "serious" virus problem ($5.8 Billion in clean-up costs).

Alabama's Top Cities for Fraud and Identity Theft

Here's a little special section for friends in Alabama (where UAB is based)

Alabama had 8,546 fraud complaints, for $13,739,250 in losses last year. Alabama also had 3,586 identity theft complaints.

Thursday, March 11, 2010

Hacker sites and foreign press are picking up the story today of the arrest of at least 23 hackers in 13 different provinces in Turkey. The news was first seen in Russian on 09MAR2010, but is now spreading into the English speaking press, with more details available.

News.AZ ran the story 23 Kurdish hackers arrested in Turkey, which provides some basic facts: the hackers are associated with the Kurdistan Workers' Party, or PKK, and were taken to Diyarbakır for further questioning. This article calls the hacker team the "Cold Attack Team", and says that it took orders from leaders in Kandil in Iraq and in Europe regarding what websites to hack and what messages to place there. It also mentions that the hackers distributed a PowerPoint attachment via email which would trojan the reader's computer.

It is unknown if this story is related to news first released in February about another PKK hacker. A story in Today's Zaman provides a bit more depth, PKK hacker faces up to 10 years in prison, identifying the leader of a PKK hacker group as having been apprehended on November 14th, and charged with "acquiring state secrets and confidential documents on behalf of the PKK terrorist organization". The indictment unveiled by a Diyarbakır prosecutor reveals that the hacker, who they call by his initials, R.Ç., had classified documents on his computer belonging to Turkey's National Intelligence Organization, the Milli Istihbarat Teskilati (MİT), and evidence that the hacker had an "online friendship" with Murat Karayılan, who leads the PKK in northern Iraq. R.Ç. claims he was introduced to Murat by a friend in France, and that they gained the classified documents through "computer virus programs he placed on pornographic Web sites visited by army members."

Wednesday, March 10, 2010

This morning I was reading a report from Kenneth Paschal, a member of the UAB Phishing Operations research team, that contained an interesting group of new phishing sites. The campaign advertises an "HM Revenue & Customs" page using an email with this message body:

After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a tax refund of 988.50 GBP. Please submit the tax refund request and allow us 2-3 days in order to process it.

Click Here to submit your tax refund request

Note : A refund can be delayed a variety of reasons, for example submitting invalid records or applying after deadline.

Best Regards

HM Revenue & Customs

The so-called "Tax Refund Portal" looks like this:

Each of the icons takes the visitor to a very professional-looking phishing site built to steal the credentials for that bank. The banks currently making up the pool include:

We had previously seen seventeen such phishing sites, in July and August of 2009, but the front has been quiet until March 1st. A quick peek into the UAB PhishURLs database shows that we're seeing an escalated number of these sites being created.

The UAB Spam Data Mine had samples in our March 6th spam collections at 12:30 AM, 1:30 AM, 4:30 AM and 5:45 AM for "planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm". After that site was terminated, the bad guys relaunched in our 12:15 PM spam collection with "www.examsheets.net/images/hmrc/hmrc/refundportal.htm". As you can see, many others have followed.
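The relaunch pattern above (same kit, new compromised host) is easy to miss if you track phishing sites by hostname. The script below, an added example and not UAB Spam Data Mine code, pivots on the kit's path signature ("hmrc/hmrc/refundportal.htm") instead, so every host that has served the same kit is listed in first-seen order. The two planet-promo.de and examsheets.net URLs are from the post; the timestamps and the *.example hosts are constructed sample data.

```python
"""
Cluster spam URLs by phishing-kit path signature rather than by host.
Added example; the *.example hosts and all timestamps are constructed.
"""
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample of (collection time, URL) pairs as a spam trap might log them.
SAMPLE_SPAM_URLS = [
    ("2010-03-06 00:30", "http://planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm"),
    ("2010-03-06 01:30", "http://planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm"),
    ("2010-03-06 04:30", "http://planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm"),
    ("2010-03-06 12:15", "http://www.examsheets.net/images/hmrc/hmrc/refundportal.htm"),
    ("2010-03-07 09:00", "http://shop.example/tmp/hmrc/hmrc/refundportal.htm"),          # constructed
    ("2010-03-07 09:05", "http://blog.example/wp-content/HMRC/hmrc/RefundPortal.htm"),  # constructed
    ("2010-03-07 10:00", "http://blog.example/news/index.html"),                        # constructed, unrelated
]


def kit_signature(url: str, depth: int = 3) -> str:
    """Last `depth` path components, lower-cased, with the query string dropped.
    For the refund-portal URLs above this is 'hmrc/hmrc/refundportal.htm'."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return "/".join(parts[-depth:]).lower()


def cluster_by_kit(records, depth: int = 3):
    """Group (seen_at, url) records by kit signature. For each signature keep
    the serving hosts in first-seen order with first-seen time and hit count."""
    clusters = {}
    for seen_at, url in sorted(records):
        host = urlsplit(url).hostname.lower()
        hosts = clusters.setdefault(kit_signature(url, depth), OrderedDict())
        entry = hosts.setdefault(host, {"first_seen": seen_at, "hits": 0})
        entry["hits"] += 1
    return clusters


def hosts_for_kit(records, signature: str, depth: int = 3):
    """Hosts that have served the given kit signature, in order of appearance."""
    return list(cluster_by_kit(records, depth).get(signature, {}).keys())


if __name__ == "__main__":
    for sig, hosts in cluster_by_kit(SAMPLE_SPAM_URLS).items():
        print(sig)
        for host, info in hosts.items():
            print(f"  {info['first_seen']}  {host}  ({info['hits']} hits)")
```

Three path components is a reasonable default for this kit because the directory the kit was unpacked into ("roxx/logs", "images") varies per host while the kit's own layout does not; tune `depth` per campaign.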

We'll continue to watch for emerging patterns like this one, and share with you what we find. For now, be wary of this "Tax Refund Portal"!

Monday, March 08, 2010

The Energizer DUO, a USB-powered battery recharger, was confirmed on Friday by Energizer Holdings to contain malicious code. According to this Energizer Press Release, they were notified by the CERT Coordination Center that the Windows software that ships with their DUO Charger "contains a vulnerability".

Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from their computers. This will eliminate the vulnerability. In addition, CERT and Energizer recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Windows system32 directory.

Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software. Additional technical information can be found at http://www.kb.cert.org/vuls/id/154421.

Apparently Unix tutorial author Ed Schaller was the one who reported the malware to US-CERT. US-CERT then asked Symantec to evaluate the malware, which was written up by Liam O Murchu in the Symantec Security Response Blog.

According to the US-CERT article, Arucer.dll is launched in the traditional way, with a "rundll32" call from the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

The hashes for the malware file, Arucer.dll, which is 28,672 bytes in size, are:

US-CERT indicates that the file properties suggest the file was built on a Chinese computer (language set = 0x0804, which is Chinese, Simplified, PRC).

The detection on that malware as of last night is still pretty sketchy according to VirusTotal. In this VirusTotal Report for Arucer.dll it showed that only 9 of 42 anti-virus products would have triggered on this malware. Microsoft, Sunbelt, and Symantec are now detecting it as "Arugizer" (or Arurizer in Microsoft's case). F-secure, Fortinet, McAfee, and Sophos are also detecting.

Although Symantec's Liam indicates they were able to download the software from the Energizer website on Friday, all links we could find for the downloadable package, formerly at hxxp://www.energizer.com/usbcharger/download/UsbCharger_setup_V1_1_1.exe, now redirect to an Energizer homepage.

If you REALLY want to trojan yourself, perhaps your best bet is to buy one of these systems from a third party, such as Amazon.com who still offers Energizer Charger USB Duo for $16.99.

Symantec reports that after infection, the machine begins to listen on port 7777. Valid commands which can be sent to that port are in the form of XOR'ed CLSIDs, with the list being:

which seems to indicate a wide-range of possibilities from this trojan.
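Two of the indicators above are cheap to check on a suspect host: the rundll32 entry under the Run key that loads Arucer.dll, and a process listening on TCP 7777. The Python below is an added triage example, not US-CERT, Symantec or Energizer code. It parses a `reg export` of the Run key and `netstat -ano` output, both constructed samples here; the value name "UsbCharger" and the export name "StartProc" in the sample are assumptions, which is why the match keys only on rundll32 plus the DLL name.

```python
"""
Triage a Windows host for the Arucer.dll ("Arugizer") indicators: a rundll32
Run-key entry loading Arucer.dll and a TCP listener on port 7777.
Added example; SAMPLE_REG_EXPORT and SAMPLE_NETSTAT are constructed, and the
value name / export name in the sample are assumptions.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_DLL = "arucer.dll"
SUSPECT_PORT = 7777

# Constructed sample of `reg export "HKLM\...\Run" run.reg` output.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"UsbCharger"="rundll32.exe \"C:\\Windows\\system32\\Arucer.dll\",StartProc"
"Reader_sl"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
'''

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.10:49158     93.184.216.34:443      ESTABLISHED     2268
  UDP    0.0.0.0:7777           *:*                                    1432
'''

# "name"="value" with .reg escaping (\\ and \") inside the quotes.
_REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> \"."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: string data}} for REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _REG_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_run_entries_loading(reg_text: str, dll_name: str = SUSPECT_DLL) -> List[Tuple[str, str]]:
    """Run-key values that start the DLL through rundll32, whatever the export name."""
    hits = []
    for name, value in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        v = value.lower()
        if "rundll32" in v and dll_name in v:
            hits.append((name, value))
    return hits


def find_tcp_listeners(netstat_text: str, port: int = SUSPECT_PORT) -> List[int]:
    """PIDs with a TCP socket in LISTENING state on the given local port."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(parts[4]))
    return pids


def triage(reg_text: str, netstat_text: str) -> dict:
    persistence = find_run_entries_loading(reg_text)
    listeners = find_tcp_listeners(netstat_text)
    return {"persistence": persistence, "listener_pids": listeners,
            "suspicious": bool(persistence or listeners)}


if __name__ == "__main__":
    print(triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT))
```

A hit on either indicator is enough to pull the host for a closer look; confirm by hashing the DLL found in system32 against the published hashes rather than trusting the file name alone.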

Gregg Keizer wrote a nice piece for ComputerWorld on this topic: Energizer Bunny's software infects PCs, which reminds us that in 2007 Seagate shipped trojaned drives, and Apple shipped some trojaned iPods, and that in 2008 Best Buy sold Digital Picture frames with attack code in them.

Friday, March 05, 2010

I've always regretted not attending the RSA conference with more than 500 speakers in 15 different tracks, and perhaps never so much as this year. A special disappointment was not attending the Secure Computing Awards dinner where this year they gave out their first Blogger Awards, including "Most Popular Security Blogger", which was awarded to Gary Warner, author of Cybercrime & Doing Time! Thanks to my friends and readers who voted.

Howard Schmidt - U.S. Cybersecurity Coordinator

I was excited when the announcement was made that Howard Schmidt was the new Cybersecurity Coordinator for President Obama, primarily because I've had the chance to see this man's passion for cybersecurity. Howard and I are both InfraGard members, and one of the most impressive times I saw him was in Knoxville, Tennessee, where we were back-to-back speakers for their "October is Cybersecurity Awareness Month" conference. Not only was Howard speaking there, he actually had 40 speaking engagements during the 31 days of the month to address audiences about the importance of cybersecurity awareness! I can't think of a more energetic or appropriate person to be in this new position!

Howard began his talk with a discussion of the evolution of cyber security, comparing it to the evolution of fire fighting. He described how after people got tired of watching buildings burn down, we started building them near rivers so we could have a ready source of water to try to put out the fire. Then we had a volunteer fire department that could help prevent things from burning to the ground. We trained them how to put out fires. Later we started looking at how to keep fires from being so devastating. We came up with "building codes" to make less flammable buildings. Why do we still have anything that can catch on fire in a building? Because we have to. Since we couldn't stop every fire, we put sprinkler systems in buildings. Will things still catch on fire? Sure. But hopefully we'll put them out quickly.

Then he made all the similar cybersecurity comparisons, leading up to his new role in the administration, representing President Obama, and working with Intelligence, Law Enforcement, Defense, and civil agencies to try to build a Secure, Trustworthy, and Resilient computing infrastructure.

In many ways his new job is to respond to the Near Term action items on the Cyber Policy Review completed by Melissa Hathaway. He used most of his talk to provide an update on the ten items:

He also discussed the "open information" approach of President Obama's administration. I recall attending a briefing by Cornelius Tate in 2008 where he talked about EINSTEIN and the Trusted Internet Connections program for one of the first times publicly. Even then, all he could say about the other ten initiatives of the CNCI was that they were classified.

A summary of the Comprehensive National Cybersecurity Initiative (CNCI) has now been declassified, so we at least know what the twelve initiatives of the CNCI are. (These are now available on WhiteHouse.gov/cybersecurity/ => CNCI (html) or CNCI (pdf))

Wednesday, March 03, 2010

Several mailing lists have been buzzing in the aftermath of the recent shutdown attempts against the Waledac network. The results of this shutdown can best be seen by visiting the Waledac tracker run by our friend Jeremy at SudoSecure.

Prior to the action of Microsoft's Digital Crimes Unit in their Operation b49, Waledac was propagating itself with more than 200 Chinese-registered domain names, and was found in December alone to have sent more than 651 million emails just to hotmail.com recipients! In Microsoft's court action, "Microsoft Corporation v. John Does 1-27", the court granted the unusual motion to have VeriSign terminate the domains, in light of the refusal of the registrar China Springboard to cooperate. In the days immediately following this action, the final few domain names were terminated, most recently "frostep.com" and "walkali.com".

Waledac was a peer-to-peer (P2P) botnet that used fast-flux hosting of Chinese-registered domain names in order to guarantee itself a long life. Waledac was often called the successor to the Storm botnet because the bots do not communicate directly with the "true" Command & Control, but rather have a "peer list" with which they are in constant contact. Bots make queries either to their hard-coded peers, or by asking one of the bot-controlled domain names for a file, usually a .gif, .jpg, or .png file. Instead of receiving back a graphics file, however, they receive a custom-coded reply which either gives them an instruction, or causes them to update their spam template or recipient email list.
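That "ask for an image, get a command" trick leaves a simple network-level tell: the URL says .gif/.jpg/.png but the body does not start with that format's magic bytes. The Python below is an added example, not code from any of the Waledac research cited on this page. It checks captured (URL, body) pairs against the expected image signatures and reports the byte entropy of anything that fails, which helps separate an encrypted C&C reply (entropy near 8 bits per byte) from a plain HTML error page. The responses are constructed samples on reserved .example hosts.

```python
"""
Flag HTTP responses that were requested as images but are not images,
the pattern Waledac bots used to fetch commands from fast-flux domains.
Added example; SAMPLE_RESPONSES is constructed data.
"""
import math
from urllib.parse import urlsplit

# File signatures (magic bytes) for the image types the bots asked for.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Constructed (url, body) pairs as a proxy or pcap carver might hand them over.
SAMPLE_RESPONSES = [
    ("http://cdn.example/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),          # genuine PNG header
    ("http://news-flux.example/images/a1.jpg", bytes(range(256)) * 2),            # uniform bytes, no JPEG SOI
    ("http://news-flux.example/images/b2.gif?x=1", b"<html><body>update 1</body></html>"),
    ("http://cdn.example/index.html", b"<html></html>"),                          # not an image URL, ignored
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def expected_magic(url: str):
    """Signatures an honest response to this URL must start with, or None if
    the path does not claim to be an image."""
    path = urlsplit(url).path.lower()
    for ext, magics in IMAGE_MAGIC.items():
        if path.endswith(ext):
            return magics
    return None


def looks_like_image(url: str, body: bytes) -> bool:
    magics = expected_magic(url)
    if magics is None:
        return True  # nothing claimed, nothing to check
    return any(body.startswith(m) for m in magics)


def flag_fake_images(responses):
    """Return the responses whose body contradicts the image extension in the URL."""
    flagged = []
    for url, body in responses:
        if expected_magic(url) is not None and not looks_like_image(url, body):
            flagged.append({"url": url, "size": len(body),
                            "entropy": round(shannon_entropy(body), 2)})
    return flagged


if __name__ == "__main__":
    for hit in flag_fake_images(SAMPLE_RESPONSES):
        print(hit)
```

On a real capture, also check the Content-Type header the server sent; a fast-flux node serving "image/gif" with a non-GIF body is a stronger signal than the extension mismatch alone.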

Some excellent research has been performed on Waledac in recent months, including the "Walowdac" research project led by Thorsten Holz and researchers at the University of Mannheim and the University of Vienna (Ben Stock, Jan Göbel, Markus Engelberth, Felix Freiling). Their custom-crafted Waledac clone was able to fully communicate with the botnet, but did not send spam. They found that Waledac had an average size of 55,000 active bots on any given day (August 6, 2009 - September 1, 2009).

At UAB we had mostly focused on alerting the public of various attempts by the Waledac network to spread itself via email, including:

Are those numbers "true"? Every security company has a different opinion on the size and strength and spam volume of the various botnets. What I can say is "their estimates are based on sound logic".

One of my personal favorites for sizing spamming botnets is the guys over at M86 Security with their weekly chart called Tracking Spam Botnets. Here's their most recent graphic:

Looking at the historical data over at their website, although we can talk about the Top Ten, Rustock has been the top spamming botnet since at least July, and currently is responsible for 50.7% of all the spam on the planet! I've challenged this over-emphasis on Rustock with their researchers, actually while they were still "Marshal", and as I said above, "their estimates are based on sound logic".

Another of my favorite spam trackers is MessageLabs. These guys produce fantastic intelligence that is quite accessible in their monthly Messagelabs Intelligence Reports. I'll call special attention to their 2009 Annual Security Report which had as a major theme "Botnets Bounce Back with Sharpened Survival Skills".

(by the way - FireEye has the best low-down on the Pushdo/Cutwail botnet and its current Command & Control structure.)

Cautions are already being expressed as a result of the Waledac take-down: by using TECHNOLOGY to do the takedowns instead of CRIMINAL JUSTICE APPROACHES, we are just helping to rapidly evolve the capabilities of the various cyber criminals who make their living through spam.

We have to move from DISABLING the C&C networks to MONITORING the C&C networks. Bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door. It's why we do what we do the way we do at UAB. Our Computer Forensics Research program partners the Computer & Information Sciences department with the Justice Sciences department, and draws heavily on graduate students and faculty members from both departments to help make a better informed and better equipped cybercrime investigator, with the goal of changing the way we fight cybercrime.

Update:

Today Panda Labs released details of the takedown of the Mariposa Botnet. This botnet, run by the DDP Team (Días de Pesadilla Team), had a shocking discovery at the end - TWELVE MILLION IP addresses were making regular contact with the C&C servers! From the article:

"On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. "jonyloleante", and J.B.R., 25, a.k.a. "ostiator". Both of them were arrested on February 24, 2010."